
Commit e73f0df

Clarify FIPS cipher configuration (#2343) (#2353)
1 parent 91b8746 commit e73f0df

File tree

1 file changed

+23
-4
lines changed


modules/ROOT/pages/security/ssl-fips-compatibility.adoc

Lines changed: 23 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -189,6 +189,25 @@ SSL configuration is described in detail in xref:security/ssl-framework.adoc#ssl
189189

190190
This section describes configuration that must be done *in addition to* standard non-FIPS compliant SSL configuration.
191191

192+
[NOTE]
193+
====
194+
* The following group of FIPS-compatible cipher suites are for use with TLSv1.2:
195+
+
196+
** `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
197+
** `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
198+
** `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`
199+
** `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`
200+
+
201+
They require additional configuration in the application or OpenSSL settings.
202+
203+
* The following cipher suites are supported by default in OpenSSL when using TLSv1.3:
204+
+
205+
** `TLS_AES_256_GCM_SHA384`
206+
** `TLS_AES_128_GCM_SHA256`
207+
+
208+
These suites do not require any additional configuration when OpenSSL is built with FIPS support.
209+
====
210+
192211
[[bolt-ssl-fips]]
193212
=== Bolt
194213

@@ -202,7 +221,7 @@ This section describes configuration that must be done *in addition to* standard
202221
dbms.ssl.policy.bolt.trust_all=false
203222
dbms.ssl.policy.bolt.tls_level=REQUIRED
204223
dbms.ssl.policy.bolt.tls_versions=TLSv1.2,TLSv1.3
205-
dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
224+
dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
206225
----
207226
. Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.bolt.private_key_password` to dynamically read the password from an encrypted password file.
208227
The password must *not* be set in plain text.
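Review bot: the rationale for dropping `TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256` from `dbms.ssl.policy.bolt.ciphers` is missing from both the NOTE and the commit message, so a reader comparing against the previous text sees two suites vanish with no explanation. The shortened list does match the two TLSv1.3 suites the NOTE enumerates; a single sentence there would close the gap, for example that only `TLS_AES_256_GCM_SHA384` and `TLS_AES_128_GCM_SHA256` are in OpenSSL's default TLSv1.3 ciphersuite list and are therefore the ones that work without further configuration, which is already the criterion the NOTE applies.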
@@ -222,7 +241,7 @@ This section is only applicable if HTTPS is enabled.
222241
dbms.ssl.policy.https.trust_all=false
223242
dbms.ssl.policy.https.tls_level=REQUIRED
224243
dbms.ssl.policy.https.tls_versions=TLSv1.2,TLSv1.3
225-
dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
244+
dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
226245
----
227246
. Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.https.private_key_password` to dynamically read the password from an encrypted password file. The password must NOT be set in plain text.
228247

@@ -240,7 +259,7 @@ dbms.ssl.policy.cluster.enabled=true
240259
dbms.ssl.policy.cluster.tls_level=REQUIRED
241260
dbms.ssl.policy.cluster.client_auth=REQUIRED
242261
dbms.ssl.policy.cluster.tls_versions=TLSv1.2,TLSv1.3
243-
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
262+
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
244263
----
245264
. Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.cluster.private_key_password` to dynamically read the password from an encrypted password file.
246265
The password must *not* be set in plain text.
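Review bot: `dbms.ssl.policy.cluster.tls_versions=TLSv1.2,TLSv1.3` is kept next to a cipher list whose TLSv1.2 entries, according to the new NOTE, only work after additional configuration the page does not yet spell out. For the cluster policy both ends of every connection are Neo4j servers under the same operator's control, so this section is the natural place to say that `tls_versions=TLSv1.3` alone is an option that leaves only the two GCM suites the NOTE describes as working out of the box, and to state when TLSv1.2 has to be retained (for example during a rolling upgrade from a version that lacks TLSv1.3).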
@@ -260,7 +279,7 @@ dbms.ssl.policy.backup.enabled=true
260279
dbms.ssl.policy.backup.client_auth=REQUIRED
261280
dbms.ssl.policy.backup.trust_all=false
262281
dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
263-
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
282+
dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
264283
----
265284
. Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.backup.private_key_password` to dynamically read the password from an encrypted password file.
266285
The password must *not* be set in plain text.
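Review bot: none of the four sections ends with a way to confirm that the server actually honours the narrowed `ciphers` value, so a mistake in one of these long comma-separated strings would surface only when a client fails to connect. Suggest a short verification step after the backup section: connect with `openssl s_client -connect <host>:<port> -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384` (the OpenSSL name of `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`) and again with `-tls1_3`, check the `Cipher is` line in each handshake summary, and run one negative test with a suite not in the list to confirm the handshake is refused; `<host>` and `<port>` are placeholders for the policy's listen address.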
